HChaCha20 is constructed the same way as ChaCha20, except that the final feedforward additions are not performed and only bytes 0-3 and 12-15 of the keystream are output; furthermore, both the nonce and stream position are provided as a single 128-bit number. It is proven secure as a PRF if ChaCha20 is a PRF (since the output of HChaCha20 and public information (Salsa20 constant, nonce, and stream position) suffice to compute part of the ChaCha20 keystream).
Since it is a keyed PRF, HChaCha20 can be used as a fast KDF for deriving a 256-bit subkey from another 256-bit key and a public 128-bit nonce, solving #336. Since it is not invertible, it can be used for "hiding" the output of a Wegman-Carter style authenticator to avoid leaking the authentication key on nonce reuse. Compared to Blake2b, it is faster for such short inputs.
Alternatively, HSalsa20 could be used, with the usual tradeoffs compared to HChaCha20. I don't consider the implementation in crypto_core_hsalsa20 to be sufficient, since it is only used in implementing XSalsa20.
The main reason for HChaCha20 over HSalsa20 is (IMO — take this with a grain of salt) that optimized ChaCha20 implementations will be easier to come by, since ChaCha20 is used in both TLS and SSH (as ChaCha20-Poly1305).
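The relationship the first post relies on (HChaCha20 output plus the public constant, nonce and stream position gives part of the ChaCha20 keystream), as an added example in C that is not part of the thread or of libsodium's code. It assumes the "0-3 and 12-15" selection refers to 32-bit state words, which gives a 256-bit output; the function names are illustrative.

```c
/* Added example (not libsodium code); function names are illustrative. */
#include <stdint.h>
#include <string.h>
#define ROTL(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) \
    a += b; d ^= a; d = ROTL(d, 16); c += d; b ^= c; b = ROTL(b, 12); \
    a += b; d ^= a; d = ROTL(d, 8);  c += d; b ^= c; b = ROTL(b, 7)
/* "expand 32-byte k" as little-endian words: the public constant. */
static const uint32_t SIGMA[4] = {0x61707865, 0x3320646e, 0x79622d32, 0x6b206574};
/* Input block: constant, 256-bit key, then the 128-bit nonce/stream position. */
static void init_state(uint32_t s[16], const uint32_t key[8], const uint32_t in[4]) {
    memcpy(s, SIGMA, 16); memcpy(s + 4, key, 32); memcpy(s + 12, in, 16);
}

/* 20-round ChaCha permutation (10 double rounds), without the feedforward. */
static void chacha_permute(uint32_t x[16]) {
    for (int i = 0; i < 10; i++) {
        QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);
        QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
        QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
    }
}

/* HChaCha20: output is words 0-3 and 12-15 of the permuted state. */
void hchacha20(uint32_t out[8], const uint32_t key[8], const uint32_t in[4]) {
    uint32_t x[16];
    init_state(x, key, in); chacha_permute(x);
    memcpy(out, x, 16); memcpy(out + 4, x + 12, 16);
}

/* ChaCha20 block: the same permutation followed by the feedforward addition. */
void chacha20_block(uint32_t out[16], const uint32_t key[8], const uint32_t in[4]) {
    uint32_t s[16];
    init_state(s, key, in);
    memcpy(out, s, 64);
    chacha_permute(out);
    for (int i = 0; i < 16; i++) out[i] += s[i];
}

/* 1 if keystream words 0-3 and 12-15 equal HChaCha20 output + public words. */
int reduction_holds(const uint32_t key[8], const uint32_t in[4]) {
    uint32_t h[8], b[16];
    hchacha20(h, key, in); chacha20_block(b, key, in);
    for (int i = 0; i < 4; i++)
        if (b[i] != h[i] + SIGMA[i] || b[12 + i] != h[4 + i] + in[i]) return 0;
    return 1;
}
```

Only the key words (4-11) are missing from what an observer can add back, which is why those keystream words are not recoverable from the HChaCha20 output.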
Problem with HChaCha20 is that it hasn't been formally defined anywhere.
Blake2 is slightly slower on short inputs, but offers more flexibility in addition to being well defined.